Comparing Linux and Microsoft Windows for Enterprise Usage

Selling Linux in the Enterprise often is a tough job, but with the right information, you can start making the case for Linux.

Host-Based Firewalls—Windows Firewall

The Windows firewall included in Server 2008 and Windows 7 is a great
improvement over previous incarnations. It filters on packets, IP
addresses and source/destination program, and its management GUI is easy
to use. However, it lacks some of the advanced features found in
Linux-based firewalls. In contrast, Linux has been wed to open-source firewall
development in near lockstep since ipchains and now iptables. Although
many admins still prefer the text-based administration of iptables, there are
many easy-to-use GUI-based interfaces, such as the one found in SUSE
through Yet another Setup Tool (YaST, Figure 3). Unfortunately, these
tools often limit access to advanced features, such as port redirection,
IP translation and quality of service, which can be accessed from the
command line. To be fair, some of these capabilities are available in
Server 2008 by adding other modules (RRAS) or products (ISA), but that
adds another layer of administration and cost where Linux possesses them
out of the box. Some admins may feel that firewalls are not a significant
factor in enterprise security except in the perimeter. Others suggest
that firewalls are more important now than ever, because technologies like
the cloud and mobile computing are erasing the traditional boundaries
of the perimeter. Only time will tell.
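The three command-line features named above (port redirection, IP translation and quality of service) look like this as an iptables ruleset. This is an added example, not part of the original article; the interface name, ports and internal address are constructed sample values, and the helper function names are hypothetical.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset covering port redirection,
# IP translation (NAT) and QoS marking. All values below are constructed.

valid_iface() {   # interface names: letters, digits, "_", "." and "-" only
    case "$1" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
}

valid_port() {    # decimal 1..65535, at most five digits
    case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ipv4() (    # subshell body keeps the IFS change local
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
)

# gen_ruleset WAN_IF LOCAL_WEB_PORT PUBLIC_SSH_PORT INTERNAL_HOST
# Arguments are validated first so nothing unexpected lands in a rule line.
gen_ruleset() {
    valid_iface "$1" && valid_port "$2" && valid_port "$3" && valid_ipv4 "$4" ||
        { echo "gen_ruleset: invalid argument" >&2; return 1; }
    cat <<EOF
*nat
# Port redirection: traffic for port 80 goes to a local unprivileged port
-A PREROUTING -i $1 -p tcp --dport 80 -j REDIRECT --to-ports $2
# IP translation: publish an internal SSH host on an alternate public port
# (also needs net.ipv4.ip_forward=1 and a matching FORWARD rule)
-A PREROUTING -i $1 -p tcp --dport $3 -j DNAT --to-destination $4:22
# IP translation: hide internal source addresses behind the WAN address
-A POSTROUTING -o $1 -j MASQUERADE
COMMIT
*mangle
# Quality of service: tag outbound SSH so upstream queues can prioritise it
-A POSTROUTING -o $1 -p tcp --dport 22 -j DSCP --set-dscp-class AF21
COMMIT
EOF
}

# Print the sample ruleset; as root, pipe it to "iptables-restore --test"
# to have it parsed without committing anything.
gen_ruleset eth0 8080 2222 192.168.10.5
```

Loading the output with iptables-restore replaces the existing nat and mangle tables unless --noflush is given, so check it with --test first.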

The last decade easily could have been labeled the Decade of
the Patch. Because of the ever-evolving security landscape, new
vulnerabilities are discovered daily. Don't get me wrong. Security
researchers provide an invaluable service to the industry, but sometimes when
I have to push patches en masse daily, I pine for the old days when I could
just push a single service pack every so often. Patching is not solely a
Microsoft phenomenon. Vulnerabilities exist in Linux as well. Most modern
operating systems worth their salt include a native updating mechanism
to address flaws and vulnerabilities. In Windows, it is Automatic Updates
for individual systems or Windows Software Update Services (WSUS) for
managing a large number of systems. Microsoft has done well with both
programs and should be applauded for their maturation in the last five
years. Like its name implies, Automatic Updates automates the patching
of host systems through a Control Panel interface. WSUS adds reporting
features and the ability to centralize patch distribution, although the
process for approving, denying and/or superseding patches can be kludgy.

Linux updating mechanisms vary by distribution, but share similar
functionality with their Microsoft counterparts. Debian-based systems have
apt, Red Hat-based systems have Yellowdog Updater Modified (YUM), and
SUSE has YaST (which provides a graphical front end to the ZYpp package management engine).
Each tool is easy to automate and includes the ability
to resolve dependency issues prior to an update. They also share the
ability to deploy local repositories to reduce bandwidth consumption as
with WSUS, but to achieve the nicer dashboard and reporting features
of WSUS requires subscription-based services, such as Red Hat Network
(Figure 4) or Landscape from Canonical (Figure 5).

Figure 4. Managing Your System via Red Hat Network

Figure 5. Canonical's Landscape Service for Ubuntu

Basic Network Services—Microsoft DNS/DHCP

DNS and DHCP are production network roles where many Linux servers make
their entry into an enterprise. Although these services may seem boring,
they form the backbone of the modern enterprise. On the Microsoft side, we
have the proprietary versions of DNS and DHCP included in Server 2008.
Both are configured using the Server Manager utility and then administered
through their respective MMC consoles. Microsoft has integrated
its versions of DNS and DHCP deeply with Active Directory (AD) and a multitude
of its proprietary network services. Although on the surface this may not
seem like a problem, a single misconfiguration can affect multiple parts
of the Microsoft infrastructure (AD, Exchange and so on). On the Linux
side, we
have the Berkeley Internet Name Domain (BIND), the standards-based market
leader. BIND is a dependable workhorse that has enough flexibility to
support Active Directory and keep DNS administration separate from other
parts of the infrastructure. You can administer BIND through the command
line or GUI tools like the Red Hat BIND Configuration Tool (Figure 6).

Figure 6. Red Hat's BIND Configuration Tool

Alongside DNS, DHCP is a critical, though overlooked, network service. It
also is an excellent springboard for Linux in a new environment. It
is low impact and can integrate into almost any existing network with
little interruption. DHCP is available in most distros, and tools like
those found in YaST make administration a snap (Figure 7). DNS and DHCP
usually can be combined on a single server, as is found in many Microsoft
environments, but with a smaller footprint.
